diff --git a/roles/dch-proxy/meta/main.yml b/roles/dch-proxy/meta/main.yml
new file mode 100644
index 0000000..7259f30
--- /dev/null
+++ b/roles/dch-proxy/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- haproxy
diff --git a/roles/dch-proxy/tasks/main.yml b/roles/dch-proxy/tasks/main.yml
new file mode 100644
index 0000000..5d0987f
--- /dev/null
+++ b/roles/dch-proxy/tasks/main.yml
@@ -0,0 +1,20 @@
+- name: ensure main haproxy frontend is configured
+ template:
+ src=frontend-main.haproxy.cfg.j2
+ dest=/etc/haproxy/50-frontend-main.cfg
+ mode=0644
+ notify: reload haproxy
+
+- name: ensure default haproxy backend is configured
+ template:
+ src=backend-myala.haproxy.cfg.j2
+ dest=/etc/haproxy/70-backend-myala.cfg
+ mode=0644
+ notify: reload haproxy
+
+- name: ensure gitea haproxy backend is configured
+ template:
+ src=backend-gitea.haproxy.cfg.j2
+ dest=/etc/haproxy/70-backend-gitea.cfg
+ mode=0644
+ notify: reload haproxy
diff --git a/roles/dch-proxy/templates/backend-gitea.haproxy.cfg.j2 b/roles/dch-proxy/templates/backend-gitea.haproxy.cfg.j2
new file mode 100644
index 0000000..acf02f9
--- /dev/null
+++ b/roles/dch-proxy/templates/backend-gitea.haproxy.cfg.j2
@@ -0,0 +1,7 @@
+backend gitea
+ server gitea git0.pyrocufflink.blue:80 check
+
+
+backend gitea-tls
+ mode tcp
+ server gitea git0.pyrocufflink.blue:443 check
diff --git a/roles/dch-proxy/templates/backend-myala.haproxy.cfg.j2 b/roles/dch-proxy/templates/backend-myala.haproxy.cfg.j2
new file mode 100644
index 0000000..5379f47
--- /dev/null
+++ b/roles/dch-proxy/templates/backend-myala.haproxy.cfg.j2
@@ -0,0 +1,7 @@
+backend myala
+ server myala myala.pyrocufflink.jazz:80 check
+
+
+backend myala-tls
+ mode tcp
+ server myala myala.pyrocufflink.jazz:443 check
diff --git a/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2 b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
new file mode 100644
index 0000000..8ed785f
--- /dev/null
+++ b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
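Review bot: In roles/dch-proxy/tasks/main.yml the three `template` tasks set `mode=0644` but no owner or group, so ownership of the files written under /etc/haproxy is whatever account the play connects or escalates as; adding `owner=root group=root` to each task makes that explicit. The `key=value` argument strings would also read better as native YAML mappings, with the mode quoted as `mode: "0644"` so it cannot be parsed as an integer. The `reload haproxy` handler is defined outside this diff, presumably in the `haproxy` dependency; if it does not run a configuration check before reloading, a broken fragment would only surface at reload time.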
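Review bot: In backend-gitea.haproxy.cfg.j2 (and identically in backend-myala.haproxy.cfg.j2) neither backend passes the client address on, so git0 and myala will log every request as coming from the proxy, which weakens audit trails and any per-client rate limiting there. For the HTTP backends `option forwardfor` would add the address as a header; for the `mode tcp` passthrough backends the equivalent is `send-proxy` on the `server` line, but only if the backend is configured to accept the PROXY protocol. The port-80 backends also forward in cleartext, which is worth a comment stating that the path to the backend is trusted, if that is the intent. Whether `mode http` or an existing `forwardfor` comes from a `defaults` section is not visible in this diff.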
@@ -0,0 +1,17 @@
+frontend main
+ bind :::80
+
+ use_backend gitea if { hdr(host) -i git.pyrocufflink.blue }
+ default_backend myala
+
+
+frontend main-tls
+ bind :::443
+ mode tcp
+ option tcplog
+
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req_ssl_hello_type 1 }
+
+ use_backend gitea-tls if { req_ssl_sni -i git.pyrocufflink.blue }
+ default_backend myala-tls
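Review bot: In `frontend main-tls` the only `tcp-request content` rule is the `accept`, so a connection that never sends a TLS ClientHello is held for the 5s inspect delay and then still forwarded to `myala-tls`; a final `tcp-request content reject` after the accept line would drop it instead. In `frontend main`, `hdr(host) -i git.pyrocufflink.blue` is an exact match, so a Host header carrying a port (`git.pyrocufflink.blue:80`) falls through to `default_backend myala`; `hdr(host),field(1,:) -i git.pyrocufflink.blue` avoids that. `frontend main` also sets no `mode`, so the Host match relies on `mode http` being inherited from a `defaults` section that is outside this diff.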